Lost Device Means PHI of 660 Eastern Maine Medical Center Patients Could Be at Risk

A portable hard drive that has gone missing from the State Street facility, in Bangor, ME of Eastern Maine Medical Center. The group is now notifying 660 clients that some of their protected health information could have been exposed.

The missing device did not have encryption and data on the device could be accessed without no password requirement. While it has not been confirmed if it was stolen, but the device could not be located during a thorough search. The external drive was last spotted in its usual resting place on December 19, 2017 and was not there on December 22 when it was sought again.

The hard drive was owned to a business associate of Eastern Maine Medical Center and contained restricted patient information. No Social Security credentials, financial history, or health insurance details were present on the device, only complete names, birth dates, dates of service, medical record numbers, one-word condition descriptors, and images.

The patients that may have been affected by the breach had visited the medical facility for cardiac ablation procedures from January 3, 2011 to December 11, 2017. Not all client who visited the medical facility for those procedures may have been affected. Some patients of the center had their data stored in another place.

As it may have been a theft, the incident has been reported to law enforcement and investigations into the events surrounding the loss/theft of the hard drive are continuing. A thorough search of the facility was carried out although the device has now been officially defined as lost and patients are now being warned  of the breach by mail.

The delay in sending out breach notification letters was due to the time taken to go through the facility and record which patients’ PHI was stored on the device in question.

Even though the types of PHI needed to carry out identity theft were not exposed, all patients impacted by the missing device have been offered complimentary identity theft monitoring and protection services for a period of 12 months as a precautionary measure.


Author: Elizabeth Hernandez

Elizabeth Hernandez works as a reporter for NetSec.news. Her journalism is centered on IT compliance and security. With a background in information technology and a strong interest in cybersecurity, she reports on IT regulations and digital security issues. Elizabeth frequently covers topics about data breaches and highlights the importance of compliance regulations in maintaining digital security and privacy. Follow on X: https://twitter.com/ElizabethHzone